The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate (ASD) have released an updated joint Cybersecurity Advisory to address the evolving tactics, techniques, and procedures (TTPs) employed by the BianLian ransomware and data extortion group. This alert outlines critical steps for organizations to protect themselves and highlights how BianLian has shifted its focus from encryption to exclusive data exfiltration-based extortion as of January 2024.
Key Findings and TTP Updates:
BianLian targets organizations in critical infrastructure sectors across the United States and Australia. Using methods such as compromised Remote Desktop Protocol (RDP) credentials, open-source tools, and custom backdoors, the group gains unauthorized access to systems. The group’s primary focus is exfiltrating sensitive data, which it threatens to release unless a ransom is paid.
In recent campaigns, the group has exploited vulnerabilities in Windows and ESXi infrastructure, including the ProxyShell exploit chain. It employs advanced discovery techniques, such as querying domain controllers and running network scanning tools like SharpShares, to enumerate network environments.
Advisory Highlights:
- Shift in Strategy: Initially employing a double-extortion model, BianLian has fully transitioned to exfiltration-based extortion, sparing victim systems from encryption while focusing on data theft and blackmail.
- Mitigations: Organizations are urged to restrict remote desktop access, update PowerShell tools, implement multi-factor authentication (MFA), and maintain offline backups to mitigate the risks.
- Persistence Tactics: BianLian actors often create unauthorized administrator accounts and modify registry settings to maintain access.
- Pressure Techniques: The group is known for tactics such as printing ransom notes via network-connected printers and directly contacting victim employees with threats.
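The two access and persistence patterns described above (compromised RDP credentials as the entry point, and unauthorized administrator accounts created to keep access) are both visible in the Windows Security log. The following script is an added example, not part of the advisory: it correlates constructed sample events (event IDs 4624, 4720 and 4732, with field names modelled on common SIEM exports) to flag RDP logons from outside the assumed internal ranges and new accounts that are promoted to Administrators shortly after creation, escalating the finding when the same account did both.

```python
"""Correlate Windows Security-log events for the access and persistence patterns
in the BianLian advisory: RDP logons from outside the network and newly created
accounts that are promptly added to the Administrators group.

Added example; the event shapes, sample records and internal ranges below are
constructed assumptions, not data taken from the advisory.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events. Keys mirror common Security-log attributes
# (4624 = logon, 4720 = account created, 4732 = member added to local group).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:14:05", "id": 4624, "logon_type": 10, "user": "svc_backup",
     "src_ip": "203.0.113.45", "host": "FS01"},
    {"ts": "2024-03-01T02:16:40", "id": 4720, "user": "admin_svc",
     "subject": "svc_backup", "host": "FS01"},
    {"ts": "2024-03-01T02:17:02", "id": 4732, "user": "admin_svc", "group": "Administrators",
     "subject": "svc_backup", "host": "FS01"},
    {"ts": "2024-03-01T09:30:00", "id": 4624, "logon_type": 10, "user": "jsmith",
     "src_ip": "10.0.5.12", "host": "WS22"},
    {"ts": "2024-03-01T11:00:00", "id": 4720, "user": "intern01",
     "subject": "hr_admin", "host": "DC01"},
    {"ts": "2024-03-02T15:00:00", "id": 4732, "user": "intern01", "group": "Administrators",
     "subject": "hr_admin", "host": "DC01"},
]

# Assumed internal address ranges (RFC 1918); adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Logon type 10 (RemoteInteractive, i.e. RDP) from a non-internal address."""
    return [
        (e["user"], e["src_ip"], e["host"])
        for e in events
        if e["id"] == 4624 and e.get("logon_type") == 10 and not is_internal(e["src_ip"])
    ]


def fast_admin_promotions(events, window=timedelta(hours=1)):
    """Accounts added to Administrators within `window` of their creation.

    The 4720 record names the new account in `user` and its creator in
    `subject`; the 4732 record names the added member in `user`.
    """
    created = {}
    for e in events:
        if e["id"] == 4720:
            created[(e["host"], e["user"])] = datetime.fromisoformat(e["ts"])
    hits = []
    for e in events:
        if e["id"] == 4732 and e.get("group") == "Administrators":
            key = (e["host"], e["user"])
            if key in created:
                delta = datetime.fromisoformat(e["ts"]) - created[key]
                if timedelta(0) <= delta <= window:
                    hits.append((e["user"], e["subject"], e["host"]))
    return hits


def triage(events):
    """Combine both signals; a promotion performed by an account that also
    logged on over RDP from outside the network is escalated to 'high'."""
    rdp = external_rdp_logons(events)
    rdp_users = {u for u, _, _ in rdp}
    findings = []
    for new_user, creator, host in fast_admin_promotions(events):
        sev = "high" if creator in rdp_users else "medium"
        findings.append({"new_admin": new_user, "created_by": creator,
                         "host": host, "severity": sev})
    return {"external_rdp": rdp, "promotions": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the sample data only `svc_backup` is reported for an external RDP logon, and only `admin_svc` is flagged as a fast promotion (the `intern01` promotion happens more than a day after creation and is left alone); because the promotion was performed by the externally logged-on account, it is rated high. The one-hour window and the internal ranges are the tunable assumptions.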
This advisory is part of the broader #StopRansomware initiative and offers detailed guidance on preventing, detecting, and responding to ransomware attacks. It includes actionable recommendations, technical indicators of compromise (IOCs), and mappings to MITRE ATT&CK® techniques to help organizations strengthen their defenses.